In a digital era where data privacy has become paramount, organisations are under increasing scrutiny to ensure they handle customer data responsibly. One essential aspect of data protection is something that may not come to mind immediately but is vitally important, and this is the handling of and response to Subject Access Requests (SARs).
DSARs grant individuals the right to access the personal information that is held by organisations. However, handling DSARs can be a complex process, and organisations must navigate the complex landscape carefully to ensure that they adhere to stringent data protection regulations, such as the General Data Protection Regulation (GDPR).
Unfortunately, companies are currently struggling to walk this line, with the Information Commissioner’s Office (ICO) recently announcing that it had received over 15,000 Subject Access complaints last year alone. This has led to them publishing new guidance for businesses and employers, stating that many organisations are misunderstanding or underestimating the importance of responding to requests.
Why are organisations having so much trouble?
The Problem With Fulfilling DSARs
Firstly, completing a DSAR request means tackling several sets of tasks, which more often than not, needs the expertise or system access of your IT team to carry them out. Unfortunately, we already know that IT departments are overloaded, and offloading DSARs to them means a heightened workload for already busy individuals, taking attention away from critical security operations and delaying the fulfilment of requests. With GDPR specifying a one-month period in which to respond to DSARs, organisations that experience these delays and fail to meet the timeline risk being fined up to 4% of their global revenue.
This isn’t the only monetary concern - the costs of managing DSARs is increasing too. A 2020 survey conducted by privacy experts has shown that 41% of them estimated the average cost of a subject access request to be between three and six thousand British pounds. As the operational cost of managing requests becomes too high for businesses to consistently meet, the greater the chance is of them receiving a monetary fine, therefore reducing their accessible funds to complete incoming DSARs and creating an unbreakable cycle.
Finally, businesses must be careful to adhere to GDPR while fulfilling subject access requests. This includes prioritising the security of the subject’s data and having the means to properly protect sensitive outbound information.
To counteract these issues, businesses need to be asking themselves:
- How can we carry out DSAR-related tasks quickly and efficiently without burdening already busy teams?
- How can we minimise the costs associated with fulfilling requests?
- How can we return DSAR data securely and without contravening the very data law it is captured in?
Let’s look at the key ICO guidance to answer these questions.
Authenticating Incoming Subject Access Requests
One of the primary concerns in the DSAR process is ensuring the authenticity of the individuals making the requests, with identity verification of the data subject being crucial to preventing unauthorised access to sensitive information.
The ICO says: “To avoid personal data about one individual being sent to another, either accidentally or as a result of deception, you need to be satisfied that: you know the identity of the requester (or the person the request is made on behalf of); and the data you hold relates to the individual in question (eg when an individual has similar identifying details to another person)."
You should always ask for enough information to judge whether the requester (or the person the request is made on behalf of) is the person that the data is about.
To achieve this, organisations should implement robust authentication procedures to validate the identity of the requestor, either by employing multi-factor authentication or asking for additional forms of identification.
Sending The Requested Data Back To The Subject
Once the requester's identity has been verified, the next challenge is securely transmitting the requested information to them. Data protection laws emphasise the importance of maintaining confidentiality and preventing unauthorised disclosure. To comply with GDPR and similar regulations, organisations must implement secure channels for sharing personal data in response to DSARs.
The ICO says: “The security measures you need to take to send information securely as part of a subject access request (SAR) depend on the type of information you’re planning to send and what you think the risk is to the data. As a general rule, if a SAR was made to you by email, then there’s an expectation that you’ll reply by email, too, unless the person says otherwise.”
When a subject access request is made by email, an innately unsecured channel of communication, how do you send sensitive information back securely? The most effective way is to employ a strong email encryption protocol which protects data on the move and at rest and prevents interception from malicious third parties.
Reducing Costs And Meeting Deadlines
Businesses are currently struggling to complete the DSAR process in a timely and cost-efficient manner, without overburdening teams and all within the one-month deadline. Organisations need a solution that can help personnel fulfil the above stages without needing to turn to their IT department and which can authenticate and reply to requests without breaking the bank. This is where the power of secure email comes in.
Our secure email solution, Mailock, offers users end-to-end encryption and multi-factor authentication capabilities, allowing them to send sensitive information securely and verify the identity of recipients before they can view the data. Already heavily utilised within regulated industries such as Financial Services, Mailock is an intuitive and easy-to-use software that everyone can use, ensuring compliance, enhanced efficiency, and expediting the response to DSARs.
By proactively addressing the challenges faced during the DSAR process, businesses can uphold data security, protect customer trust and avoid costly regulatory fines.
Paul Holland
Previous post